STATUS: Approved by U.S. Senate Judiciary Committee (NOVEMBER 2009)
SUMMARY:
Sponsored by Senator Dianne Feinstein (D-California), this legislation requires any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired; and (2) the owner or licensee of any such information that the agency or business does not own or license.
The Act exempts agencies and business entities for national security and law enforcement purposes and for security breaches that a risk assessment concludes do not have a significant risk of resulting in harm if specified certification or notice is provided. This exemption is subject to review by the Secret Service. Also exempt are business entities that employ a security program that blocks the use of sensitive personally identifiable information and that provide notice of a breach to affected individuals.
More details:
Requires notification regarding security breaches under specified circumstances to the Secret Service, the Federal Bureau of Investigation (FBI), the Postal Inspection Service, and state attorneys general.
Authorizes the Attorney General to bring a civil action in U.S. district court against any business entity that violates this Act. Sets civil penalties for violations.
Amends the Fair Credit Reporting Act to require agencies to include a fraud alert in the file of a consumer who submits evidence of compromised financial information to a consumer reporting agency.
Authorizes civil actions by state attorneys general to enforce this Act, and sets appropriations for costs incurred by the Secret Service to investigate and conduct risk assessments of security breaches.